From 7897c3bd7e0cfd81d8b5b9fd5fdd959df8026819 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Wed, 13 Oct 2021 15:30:11 +0200
Subject: [PATCH] Rename OPENVPN_USE_TLS_MD5 to OPENVPN_ALLOW_INSECURE_CERTPROFILE

With OpenSSL 3.0 the name with MD5 no longer makes sense as it affects not only MD5 but also SHA1 and number of other settings. So replace the define with a more fitting name.

Signed-off-by: Arne Schwabe
---
 javacli/build-android | 2 +-
 openvpn/mbedtls/ssl/sslctx.hpp | 4 ++--
 openvpn/openssl/ssl/sslctx.hpp | 2 +-
 openvpn/ssl/tls_cert_profile.hpp | 10 +++++-----
 test/ovpncli/cli.cpp | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/javacli/build-android b/javacli/build-android
index 2fcfa404..0ea3a166 100755
--- a/javacli/build-android
+++ b/javacli/build-android
@@ -75,7 +75,7 @@ $GPP_CMD \
 -DASIO_STANDALONE \
 -DASIO_NO_DEPRECATED \
 -DHAVE_LZ4 \
- -DOPENVPN_USE_TLS_MD5 \
+ -DOPENVPN_ALLOW_INSECURE_CERTPROFILE \
 -DASIO_HAS_STD_STRING_VIEW \
 -I$O3/core/client \
 -I$O3/core \
diff --git a/openvpn/mbedtls/ssl/sslctx.hpp b/openvpn/mbedtls/ssl/sslctx.hpp
index 044dd913..fcc854f8 100644
--- a/openvpn/mbedtls/ssl/sslctx.hpp
+++ b/openvpn/mbedtls/ssl/sslctx.hpp
@@ -138,7 +138,7 @@ namespace openvpn {
 * X509 cert profiles.
 */
 
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 // This profile includes the broken MD5 alrogithm.
 // We are going to ship support for this algorithm for a limited
 // amount of time to allow our users to switch to something else
@@ -598,7 +598,7 @@ namespace openvpn {
 {
 switch (TLSCertProfile::default_if_undef(tls_cert_profile))
 {
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 case TLSCertProfile::INSECURE:
 return &mbedtls_ctx_private::crt_profile_insecure;
 #endif
diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
index 90e30d9e..a9c91860 100644
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
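Review bot: The Android build script still passes `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` unconditionally, so after the rename every build produced here still compiles in the `insecure` cert profile, which per the commit message now relaxes SHA1 and other settings as well as MD5. Since the intent is to ship this only for a limited time, it would be safer to make the define opt-in so release builds can drop it without editing the script, e.g. `${ALLOW_INSECURE_CERTPROFILE:+-DOPENVPN_ALLOW_INSECURE_CERTPROFILE} \` (variable name illustrative). The `$GPP_CMD` invocation starts before and continues after the hunk.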
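Review bot: The comment directly under the renamed `#ifdef` at line 138 still says the profile "includes the broken MD5 alrogithm", which is narrower than the new name promises and contradicts the commit message's point that more than MD5 is relaxed; it also carries a typo. If the mbedtls profile really only adds MD5, say so explicitly so the mismatch with the macro name is clearly intentional; otherwise reword it along the lines of `// This profile permits algorithms that are considered insecure (MD5 among others).` and keep the "limited amount of time" sentence that follows. The second hunk at line 598 is a pure rename and needs no change; its enclosing function starts before and ends after the hunk.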
@@ -1314,7 +1314,7 @@ namespace openvpn {
 OPENVPN_THROW(ssl_context_error, "OpenSSLContext: undefined tls-cert-profile");
 break;
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 case TLSCertProfile::INSECURE:
 SSL_CTX_set_security_level(ctx, 0);
 break;
diff --git a/openvpn/ssl/tls_cert_profile.hpp b/openvpn/ssl/tls_cert_profile.hpp
index 0cc11a1c..7e28e007 100644
--- a/openvpn/ssl/tls_cert_profile.hpp
+++ b/openvpn/ssl/tls_cert_profile.hpp
@@ -34,7 +34,7 @@ namespace openvpn {
 namespace TLSCertProfile {
 enum Type {
 UNDEF=0,
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 INSECURE,
 #endif
 LEGACY,
@@ -56,7 +56,7 @@ namespace openvpn {
 {
 case UNDEF:
 return "UNDEF";
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 case INSECURE:
 return "INSECURE";
 #endif
@@ -73,7 +73,7 @@ namespace openvpn {
 
 inline Type parse_tls_cert_profile(const std::string& profile_name)
 {
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 if (profile_name == "insecure")
 return INSECURE;
 else
@@ -108,7 +108,7 @@ namespace openvpn {
 const Type orig = type;
 if (override.empty() || override == "default")
 ;
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 else if (override == "insecure-default")
 {
 if (orig == UNDEF)
@@ -125,7 +125,7 @@ namespace openvpn {
 if (orig == UNDEF)
 type = PREFERRED;
 }
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 else if (override == "insecure")
 type = INSECURE;
 #endif
diff --git a/test/ovpncli/cli.cpp b/test/ovpncli/cli.cpp
index 8e3d23b1..f20d39be 100644
--- a/test/ovpncli/cli.cpp
+++ b/test/ovpncli/cli.cpp
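Review bot: `SSL_CTX_set_security_level(ctx, 0)` under the renamed guard at line 1314 deserves a comment, because OpenSSL security level 0 lifts every restriction (weak digests, short keys and weak ciphers are all accepted), which is exactly the broader effect that motivated renaming the macro away from MD5. Suggest adding above the call: `// Security level 0: OpenSSL enforces no algorithm or key-size restrictions at all;` `// only compiled in when OPENVPN_ALLOW_INSECURE_CERTPROFILE is defined.` The enclosing switch statement starts before and ends after the hunk.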
@@ -1302,7 +1302,7 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
 std::cout << "--tvm-override, -M : tls-version-min override (disabled, default, tls_1_x)" << std::endl;
 std::cout << "--legacy-algorithms, -L: Enable legacy algorithm (OpenSSL legacy provider)" << std::endl;
 std::cout << "--tcprof-override, -X : tls-cert-profile override (" <<
-#ifdef OPENVPN_USE_TLS_MD5
+#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
 "insecure, " <<
 #endif
 "legacy, preferred, etc.)" << std::endl;